
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

--Cyber Defense Summit & Training | Nashville, TN | August 11-18, 2015 | Chaired by Dr. Eric Cole, the two-day summit will teach you how to implement best practices and proven techniques enabling you to stay on top of today's threats and ahead of tomorrow's. With 5 courses: SEC511, SEC401, SEC503, SEC504, SEC566. http://www.sans.org/u/53I

--Security Awareness Summit & Training | Philadelphia | August 17-25 | 5 Courses including MGT433 taught by Lance Spitzner. At the summit, hear security awareness officers share inside knowledge on how they took their awareness programs to the next level and how they measured the impact. http://www.sans.org/u/53N

TOP OF THE NEWS

OPM Chiefs Face Congress Over Breach (June 16, 2015)

A Department of Homeland Security official said that encryption would not have helped protect the data exposed in the OPM breach because the intruders managed to obtain valid user credentials.
-http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/
House Committee Chairman Jason Chaffetz (R-Utah) called on the president to fire OPM officials, saying "If we want a different result, we're going to have to have different people."
-http://thehill.com/policy/cybersecurity/245145-gop-chair-fire-opm-director-over-hack
[Editor's Note (Pescatore): So, back to the "hit the snooze button on the alarm about moving away from reusable passwords": Why is the government still talking about Smart Card-based PIV cards for authentication, but few if any critical applications seem to actually require their use? The September 2014 OMB Annual FISMA Report to Congress showed that OPM required PIV use on exactly zero percent of network access.
(Cornelius): I'm not sure cutting the head off the snake is the solution in this case. I don't think anyone really believes that these issues are isolated to the OPM alone. There are far greater, systemic problems that have been perpetuated through every federal network. Some say it's a people problem, which is true. Some say it's a technology problem, also true. Others say it's the cumbersome processes that must be abided by in the federal space, true again. In my mind the government (at least in the broad sense, I'm sure there are pockets of excellence) seems to fall short in all the areas of cybersecurity that we would consider to be fundamental. The question in my mind is: "what can be done to change the overall security posture of the entire federal space in short order?" I'm sure there will be plenty of sage advice given to the government and new special spending measures enacted, but do we as a community have the capacity to provide a solution that the government has the capability to implement in a meaningful way?
(Honan): This is a timely reminder to people that encryption by itself is not a silver bullet to security and is simply just another control amongst others that need to be in place to properly secure systems. This testimony also highlights how under-investment and cost cutting in IT and in information security will inevitably cost an organization more. ]

Legacy Systems Are Not the Only Reason for OPM Breach (June 17, 2015)

Office of Personnel Management (OPM) officials pointed to legacy systems as a central reason for the attacks on the OPM's network. While it is true that the older systems do not support adequate encryption and other methods of data protection, other factors, including a lack of adequate talent, poor network design, and focusing on security reactively rather than proactively, contributed to the breaches as well.
-http://www.zdnet.com/article/feds-cyber-security-woes-cant-all-be-blamed-on-legacy-systems/
[Editor's Note (Assante): The first reason advanced in this piece is talent, but I would like to dive a little deeper on this important topic. Federal organizations must field an appropriate number of technically skilled staff serving in cyber defense critical roles. More important than the actual number is the balance or mix of roles and skills in sufficient numbers to achieve the necessary critical mass for a functional defense. We need to do better by striving for the appropriate balance between implementing and sustaining passive defenses and good hygiene while fielding a team that takes a more active defense approach capable of rapidly detecting footholds and quickly collapsing attacker free time.
(Murray): Resisting future breaches is necessary but not sufficient. The Verizon Data Breach Incident Report suggests that the time to detection of breaches is measured in months. Managers of large organizations must also be looking for evidence of earlier and continuing breaches.
(Pescatore): Lots of excuses being given, but two major failures really rise to the "disconnect them from the Internet" level of concern: (1) OPM had a serious breach just one year ago and hadn't addressed the problems yet; and (2) the Department of the Interior shared services data center hosted the OPM application and apparently had nothing indicating attacks or breaches - or unusual outflow. Remember, back in the 2001 - 2004 time frame a federal judge required the Department of Interior to disconnect systems from the Internet because of failure to protect Bureau of Indian Affairs information.
(Weatherford): This continues to be a leadership problem. I guarantee if you go into these federal agencies and ask the IT administrators and security engineers, they understand the problems. They may not have the skills to fix them, but they understand them. Leadership within the agencies is not listening and therefore not prioritizing, and the historically broken IT acquisition process (another leadership problem) compounds the problem. Anyone who understands technology understands that when you write an RFP that takes two years to get through the process, you are far too often deploying something that innovation has left in the dust. ]

**************************** SPONSORED LINKS ******************************

1) Protecting ICS Investments - Mike Assante and Ultra Electronics 3eTI. Friday, June 26 at 1:00 PM EST http://www.sans.org/info/178542

Samsung Will Release Fix for Galaxy Smartphones (June 17 & 18, 2015)

Samsung plans to release a fix for a critical security flaw that affects more than 600 million of its mobile phones. The issue affects Galaxy smartphones that come with the SwiftKey keyboard preinstalled. The flaw could be exploited to access data on the devices. Galaxy devices running Knox security software will receive a new security policy that neutralizes the vulnerability. Phones that are not running Knox will have to wait until a firmware update is ready.
-http://www.zdnet.com/article/samsung-plans-security-fix-for-600-million-galaxy-phones/
-http://www.csmonitor.com/Technology/2015/0617/Is-your-Samsung-Galaxy-vulnerable-to-hackers
[Editor's Note (Murray): Unfortunately, these reports do not contain sufficient information to enable Android/SwiftKey users to know whether or not they are vulnerable or how to limit the risk while waiting for a fix. This is a general problem with the Android supply chain. Mobile users with sensitive applications, data, messages, or voice call content should prefer closed systems (iOS). ]

Free Digital Certificate Project (June 17, 2015)

The Let's Encrypt Project wants to increase the use of encryption on websites by offering free digital certificates. A corporation backed by technology companies, including Mozilla, Akamai, Cisco, and the Electronic Frontier Foundation (EFF), runs the project. Let's Encrypt expects to release the first certificates in July.
-http://www.computerworld.com/article/2936347/security/free-ssltls-certificate-project-moves-closer-to-launch.html
[Editor's Note (Pescatore): This is like offering to go into an area after a hurricane and offer house painting to all the houses without roofs. I'd rather see all those folks offer free web application vulnerability scanning and remediation services to those web sites and once those glaring vulnerabilities are fixed then start worrying about SSL. ]

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/